2 comments:

Why choose the PAP authentication? I'm curious, is the cleartext only inside our network between the ASA and the RADIUS server? I am generally uncomfortable with any authentication not being encrypted, so this made me wonder. It would obviously defeat the purpose of VPN for the passwords to be available in cleartext, so I'm assuming it's only inside the network. Please advise. Thanks! Your book is on the way to me.

Good point, Andrew. I chose to use PAP in the example purely for simplicity. RADIUS also supports other authentication protocols, including CHAP and UNIX logins. (See RFC 2865.) In future updates to the book, I'll most likely use a different authentication method. Frankly, if I were setting up AD authentication today for VPN users, I'd probably consider LDAP or Kerberos before RADIUS. I have some videos showing how to do that on my video channel. Thanks for your comment.